npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE ATLAS
MITRE D3FEND
Authorized Testing Disclaimer: The offensive techniques and attack simulations described in this skill are intended exclusively for authorized penetration testing, red team engagements, purple team exercises, and security research conducted with explicit written permission from the system owner. Unauthorized use of these techniques against systems you do not own or have permission to test is illegal and unethical. Always operate within the scope of your engagement and comply with applicable laws and regulations.
Overview
NTLM relay attacks intercept NTLM authentication messages and forward them to a target service to gain unauthorized access. Attackers use tools like Responder for LLMNR/NBT-NS/mDNS poisoning, ntlmrelayx (Fox-IT/Impacket) for multi-protocol relay, and coercion techniques like PetitPotam (MS-EFSRPC) and DFSCoerce to force authentication from high-value targets like domain controllers. This skill provides a comprehensive event correlation framework using Windows Security Event 4624 LogonType 3 analysis, IP-to-hostname mismatch detection, Responder traffic identification, SMB/LDAP signing audit, and NTLM downgrade detection to identify relay attacks across Active Directory environments.
When to Use
- Hunting for credential relay activity in Active Directory environments where NTLM authentication is still in use
- Investigating alerts for authentication anomalies where the source IP does not match the expected workstation
- Auditing SMB signing and LDAP signing enforcement to assess exposure to relay attacks
- Detecting NTLM downgrade attacks where NTLMv2 is forced to NTLMv1 for easier offline cracking or relay
- Building SIEM correlation rules for MITRE ATT&CK T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay)
- Responding to PetitPotam, DFSCoerce, or PrinterBug coercion alerts that may precede relay attacks
- During purple team exercises validating NTLM relay detection and SMB signing enforcement
Do not use without centralized Windows Security Event Log collection, as a substitute for enforcing SMB signing and Extended Protection for Authentication (EPA) which prevent relay attacks at the protocol level, or without an IP-to-hostname inventory for correlation.
Prerequisites
- Windows Advanced Audit Policy configured to capture Event IDs 4624, 4625, 4648, 4776, and 8004
- Centralized log collection via Windows Event Forwarding (WEF) or agent-based shipping to SIEM
- SIEM platform (Splunk, Elastic, Microsoft Sentinel) with correlation and alerting capability
- IP address to hostname mapping inventory (DHCP logs, DNS records, or CMDB)
- Network monitoring for LLMNR (UDP 5355), NBT-NS (UDP 137), and mDNS (UDP 5353) traffic
- Understanding of MITRE ATT&CK T1557.001 and T1187 (Forced Authentication)
Workflow
Step 1: Understand NTLM Relay Attack Flow
The NTLM relay attack follows a three-phase pattern: coercion/poisoning, interception, and relay.
Phase 1 -- Coercion or Poisoning: The attacker forces or tricks a victim into initiating NTLM authentication. Methods include LLMNR/NBT-NS poisoning (Responder), PetitPotam (MS-EFSRPC abuse), PrinterBug (SpoolService), and DFSCoerce.
Phase 2 -- Interception: The attacker captures the NTLM Type 1 (Negotiate) and Type 3 (Authenticate) messages from the victim.
Phase 3 -- Relay: The attacker forwards the captured NTLM messages to a target service (SMB, LDAP, HTTP, MSSQL) to authenticate as the victim. This succeeds only when message signing is not enforced.
Victim ──NTLM Negotiate──> Attacker ──NTLM Negotiate──> Target
Victim <──NTLM Challenge── Attacker <──NTLM Challenge── Target
Victim ──NTLM Authenticate──> Attacker ──NTLM Authenticate──> Target
↓
Attacker authenticated
as Victim on TargetKey Detection Insight: In a relay attack, Event 4624 on the target will show the victim's username but the attacker's IP address. The WorkstationName field may still reflect the victim's machine. This IP-to-hostname mismatch is the primary detection signal.
Step 2: Event 4624 LogonType 3 Analysis for Relay Detection
# Splunk: Detect IP-to-Hostname Mismatches in Network Logons
# Core NTLM relay detection -- correlates WorkstationName with IpAddress
index=wineventlog EventCode=4624 LogonType=3
AuthenticationPackageName="NTLM" LmPackageName="NTLM V2"
| where TargetUserName != "ANONYMOUS LOGON"
AND TargetUserName != "-"
AND NOT match(TargetUserName, ".*\\$$")
| eval workstation_lower=lower(WorkstationName)
| lookup dns_inventory.csv hostname AS workstation_lower OUTPUT expected_ip
| where isnotnull(expected_ip) AND IpAddress != expected_ip
| table _time ComputerName TargetUserName WorkstationName IpAddress expected_ip
LogonProcessName AuthenticationPackageName
| sort -_time
| rename ComputerName as TargetHost, IpAddress as ActualSourceIP,
expected_ip as ExpectedSourceIP# Splunk: Detect Rapid Multi-Host Authentication (Relay Spraying)
# Attackers relay captured credentials to multiple targets quickly
index=wineventlog EventCode=4624 LogonType=3
AuthenticationPackageName="NTLM"
| where TargetUserName != "ANONYMOUS LOGON"
AND NOT match(TargetUserName, ".*\\$$")
| bin _time span=2m
| stats dc(ComputerName) as target_count values(ComputerName) as targets
values(IpAddress) as source_ips by _time TargetUserName
| where target_count > 3
| table _time TargetUserName source_ips target_count targets
| sort -target_count# Splunk: Detect NTLM Authentication from Non-Workstation IPs
# Relay tools often run from Linux attack boxes not in DNS/DHCP inventory
index=wineventlog EventCode=4624 LogonType=3
AuthenticationPackageName="NTLM"
| where TargetUserName != "ANONYMOUS LOGON"
AND NOT match(TargetUserName, ".*\\$$")
| lookup dhcp_leases.csv ip AS IpAddress OUTPUT mac_address hostname
| where isnull(hostname)
| stats count dc(ComputerName) as targets_hit values(ComputerName) as target_hosts
by IpAddress TargetUserName WorkstationName
| where count > 1
| table IpAddress TargetUserName WorkstationName targets_hit target_hosts count
| sort -targets_hit-- Microsoft Sentinel KQL: NTLM Relay Detection via IP-Hostname Mismatch
let known_hosts = datatable(WorkstationName:string, ExpectedIP:string)
[
// Populate from CMDB or use DeviceNetworkInfo table
];
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where TargetUserName !endswith "$"
| where TargetUserName != "ANONYMOUS LOGON"
| where IpAddress != "-" and IpAddress != "::1" and IpAddress != "127.0.0.1"
| extend WorkstationClean = toupper(trim_end(@"\s+", WorkstationName))
| join kind=inner (known_hosts) on WorkstationName
| where IpAddress != ExpectedIP
| project TimeGenerated, Computer, TargetUserName, WorkstationName,
IpAddress, ExpectedIP, LogonProcessName, AuthenticationPackageName,
LmPackageName
| sort by TimeGenerated desc-- Microsoft Sentinel KQL: Rapid NTLM Authentication to Multiple Targets
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where TargetUserName !endswith "$"
| where TargetUserName != "ANONYMOUS LOGON"
| summarize TargetCount=dcount(Computer),
Targets=make_set(Computer),
SourceIPs=make_set(IpAddress),
AuthCount=count()
by TargetUserName, bin(TimeGenerated, 2m)
| where TargetCount > 3
| project TimeGenerated, TargetUserName, SourceIPs, TargetCount, Targets, AuthCount
| sort by TargetCount descStep 3: Responder Detection via Network and Event Analysis
# Splunk: Detect Responder LLMNR/NBT-NS Poisoning via Network Logs
# Responder answers LLMNR (UDP 5355) and NBT-NS (UDP 137) queries
index=network sourcetype=zeek_dns
| where query_type IN ("LLMNR", "NBNS")
OR id.resp_p IN (5355, 137)
| stats dc(id.orig_h) as victims count by id.resp_h answers
| where count > 10
| rename id.resp_h as responder_ip
| table responder_ip victims answers count
| sort -count# Splunk: Detect LLMNR/NBT-NS Response from Non-DNS Servers
# Legitimate DNS servers respond to these; Responder impersonates them
index=network sourcetype="bro:dns:json" OR sourcetype="zeek:conn:json"
| where id_resp_p=5355 OR id_resp_p=137
| where NOT cidrmatch("10.10.0.0/24", id_resp_h)
| stats count dc(id_orig_h) as unique_victims by id_resp_h
| where unique_victims > 3
| table id_resp_h unique_victims count
| rename id_resp_h as suspicious_responder# PowerShell: Detect LLMNR and NBT-NS activity on local network
# Run on a monitoring host to identify Responder-like behavior
# Check if LLMNR is disabled (should be disabled to prevent poisoning)
$llmnr = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
-Name "EnableMulticast" -ErrorAction SilentlyContinue
Write-Host "[*] LLMNR Status: $(if ($llmnr.EnableMulticast -eq 0) { 'DISABLED (Good)' } else { 'ENABLED (Vulnerable to Responder)' })"
# Check if NBT-NS is disabled
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"
foreach ($adapter in $adapters) {
$nbtns = $adapter.TcpipNetbios
$status = switch ($nbtns) {
0 { "Default (Enabled)" }
1 { "Enabled" }
2 { "Disabled (Good)" }
}
Write-Host "[*] Adapter '$($adapter.Description)' NBT-NS: $status"
}
# Query Windows Firewall logs for LLMNR/NBT-NS traffic
Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" `
-MaxEvents 1000 -ErrorAction SilentlyContinue |
Where-Object {
$_.Message -match "5355|137" -and $_.Message -match "UDP"
} |
Select-Object TimeCreated, @{N='Detail';E={$_.Message.Substring(0,200)}} |
Format-Table -AutoSize# Sigma Rule: Responder LLMNR/NBT-NS Poisoning Detection
title: Potential Responder LLMNR/NBT-NS Poisoning Activity
id: 7a8b9c0d-e1f2-3a4b-5c6d-7e8f9a0b1c2d
status: stable
description: >
Detects a single host responding to LLMNR (UDP 5355) or NBT-NS (UDP 137)
queries from multiple unique sources, indicating possible Responder poisoning.
references:
- https://www.hackthebox.com/blog/ntlm-relay-attack-detection
- https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/
logsource:
category: firewall
detection:
selection:
dst_port:
- 5355
- 137
action: allow
condition: selection | count(src_ip) by dst_ip > 5
timeframe: 5m
level: high
tags:
- attack.credential_access
- attack.t1557.001
falsepositives:
- Legitimate WINS servers or DNS servers responding to broadcast queries
- Network discovery tools performing name resolutionStep 4: SMB Signing Enforcement Audit
# PowerShell: Audit SMB Signing Status Across Domain
# SMB signing prevents NTLM relay to SMB services
# Check local SMB signing configuration
Write-Host "=== LOCAL SMB SIGNING STATUS ==="
$smbServer = Get-SmbServerConfiguration
Write-Host "[*] SMB Server RequireSecuritySignature: $($smbServer.RequireSecuritySignature)"
Write-Host "[*] SMB Server EnableSecuritySignature: $($smbServer.EnableSecuritySignature)"
$smbClient = Get-SmbClientConfiguration
Write-Host "[*] SMB Client RequireSecuritySignature: $($smbClient.RequireSecuritySignature)"
Write-Host "[*] SMB Client EnableSecuritySignature: $($smbClient.EnableSecuritySignature)"
# Check via registry (works on older systems)
$serverSigning = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" `
-Name "RequireSecuritySignature" -ErrorAction SilentlyContinue
$clientSigning = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters" `
-Name "RequireSecuritySignature" -ErrorAction SilentlyContinue
Write-Host "`n=== REGISTRY VALUES ==="
Write-Host "[*] Server RequireSecuritySignature: $($serverSigning.RequireSecuritySignature) (1=Required, 0=Not Required)"
Write-Host "[*] Client RequireSecuritySignature: $($clientSigning.RequireSecuritySignature) (1=Required, 0=Not Required)"# PowerShell: Domain-Wide SMB Signing Audit
# Scan all domain computers for SMB signing enforcement
$domainComputers = Get-ADComputer -Filter * -Properties OperatingSystem |
Where-Object { $_.OperatingSystem -like "*Windows*" -and $_.Enabled -eq $true } |
Select-Object -ExpandProperty DNSHostName
$results = @()
foreach ($computer in $domainComputers) {
try {
$session = New-CimSession -ComputerName $computer -ErrorAction Stop
$smbConfig = Get-SmbServerConfiguration -CimSession $session -ErrorAction Stop
$results += [PSCustomObject]@{
Computer = $computer
RequireSigning = $smbConfig.RequireSecuritySignature
EnableSigning = $smbConfig.EnableSecuritySignature
Status = if ($smbConfig.RequireSecuritySignature) { "ENFORCED" } else { "VULNERABLE" }
}
Remove-CimSession $session
} catch {
$results += [PSCustomObject]@{
Computer = $computer
RequireSigning = "ERROR"
EnableSigning = "ERROR"
Status = "UNREACHABLE"
}
}
}
# Display results sorted by vulnerability
$results | Sort-Object Status | Format-Table -AutoSize
# Export vulnerable hosts
$vulnerable = $results | Where-Object { $_.Status -eq "VULNERABLE" }
Write-Host "`n[!] VULNERABLE HOSTS (SMB Signing Not Required): $($vulnerable.Count)"
$vulnerable | Export-Csv -Path "smb_signing_audit.csv" -NoTypeInformation# PowerShell: Audit LDAP Signing Status on Domain Controllers
# LDAP signing prevents NTLM relay to LDAP/LDAPS services
# Check LDAP signing requirement on domain controllers
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
# Check LDAP server signing requirement
$ldapSigning = Invoke-Command -ComputerName $dc -ScriptBlock {
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$value = Get-ItemProperty -Path $regPath -Name "LDAPServerIntegrity" -ErrorAction SilentlyContinue
return $value.LDAPServerIntegrity
} -ErrorAction SilentlyContinue
$status = switch ($ldapSigning) {
0 { "NONE (Vulnerable)" }
1 { "Negotiate Signing (Default - Vulnerable to relay)" }
2 { "Require Signing (Secure)" }
default { "Unknown/Error" }
}
Write-Host "[*] $dc LDAP Signing: $status"
# Check LDAP channel binding
$channelBinding = Invoke-Command -ComputerName $dc -ScriptBlock {
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$value = Get-ItemProperty -Path $regPath -Name "LdapEnforceChannelBinding" -ErrorAction SilentlyContinue
return $value.LdapEnforceChannelBinding
} -ErrorAction SilentlyContinue
$cbStatus = switch ($channelBinding) {
0 { "Disabled (Vulnerable)" }
1 { "When Supported" }
2 { "Always Required (Secure)" }
default { "Not Configured (Vulnerable)" }
}
Write-Host "[*] $dc LDAP Channel Binding: $cbStatus"
}# Splunk: Monitor for SMB sessions without signing
# Requires Zeek SMB logging or packet capture analysis
index=network sourcetype="zeek:smb_mapping:json" OR sourcetype="bro:smb_mapping:json"
| where NOT security_mode="signing_required"
| stats count dc(id_orig_h) as unique_clients by id_resp_h security_mode
| sort -unique_clients
| rename id_resp_h as smb_server
| table smb_server security_mode unique_clients countStep 5: NTLM Downgrade Detection
# Splunk: Detect NTLMv1 Authentication (Downgrade from NTLMv2)
# NTLMv1 is weaker and easier to relay/crack -- should not be in use
index=wineventlog EventCode=4624 LogonType=3
LmPackageName="NTLM V1"
| where TargetUserName != "ANONYMOUS LOGON"
AND NOT match(TargetUserName, ".*\\$$")
| stats count values(ComputerName) as targets
values(IpAddress) as source_ips
by TargetUserName LmPackageName
| table TargetUserName LmPackageName source_ips targets count
| sort -count# Splunk: Detect NTLM Downgrade Attack Pattern
# NTLMv1 appearing after a period of only NTLMv2 suggests active downgrade
index=wineventlog EventCode=4624 LogonType=3
AuthenticationPackageName="NTLM"
| where TargetUserName != "ANONYMOUS LOGON"
| bin _time span=1h
| stats count(eval(LmPackageName="NTLM V1")) as ntlmv1_count
count(eval(LmPackageName="NTLM V2")) as ntlmv2_count
by _time
| where ntlmv1_count > 0
| eval ntlmv1_ratio = round(ntlmv1_count / (ntlmv1_count + ntlmv2_count) * 100, 2)
| table _time ntlmv1_count ntlmv2_count ntlmv1_ratio
| sort -_time-- Microsoft Sentinel KQL: NTLMv1 Downgrade Detection
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where LmPackageName == "NTLM V1"
| where TargetUserName !endswith "$"
| where TargetUserName != "ANONYMOUS LOGON"
| project TimeGenerated, Computer, TargetUserName, WorkstationName,
IpAddress, LmPackageName, LogonProcessName
| sort by TimeGenerated desc# PowerShell: Detect NTLMv1 Authentication Events on Local System
$ntlmv1Events = Get-WinEvent -LogName Security -FilterXPath @"
*[System[(EventID=4624)]]
and
*[EventData[Data[@Name='LmPackageName']='NTLM V1']]
"@ -MaxEvents 500 -ErrorAction SilentlyContinue
if ($ntlmv1Events.Count -gt 0) {
Write-Host "[!] WARNING: $($ntlmv1Events.Count) NTLMv1 authentication events detected!" -ForegroundColor Red
$ntlmv1Events | ForEach-Object {
$xml = [xml]$_.ToXml()
$eventData = $xml.Event.EventData.Data
[PSCustomObject]@{
Time = $_.TimeCreated
TargetUser = ($eventData | Where-Object { $_.Name -eq "TargetUserName" }).'#text'
Workstation = ($eventData | Where-Object { $_.Name -eq "WorkstationName" }).'#text'
SourceIP = ($eventData | Where-Object { $_.Name -eq "IpAddress" }).'#text'
LmPackage = ($eventData | Where-Object { $_.Name -eq "LmPackageName" }).'#text'
}
} | Format-Table -AutoSize
} else {
Write-Host "[+] No NTLMv1 authentication events found (Good)" -ForegroundColor Green
}
# Audit GPO settings for NTLM restriction
Write-Host "`n=== NTLM RESTRICTION POLICY ==="
$ntlmPolicy = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "LmCompatibilityLevel" -ErrorAction SilentlyContinue
$level = switch ($ntlmPolicy.LmCompatibilityLevel) {
0 { "Send LM & NTLM responses (Most Vulnerable)" }
1 { "Send LM & NTLM - use NTLMv2 session security if negotiated" }
2 { "Send NTLM response only" }
3 { "Send NTLMv2 response only (Recommended minimum)" }
4 { "Send NTLMv2 response only, refuse LM" }
5 { "Send NTLMv2 response only, refuse LM & NTLM (Most Secure)" }
default { "Not configured (defaults to 3 on modern Windows)" }
}
Write-Host "[*] LmCompatibilityLevel: $($ntlmPolicy.LmCompatibilityLevel) - $level"Step 6: NTLM Audit and Restriction Policy Configuration
# PowerShell: Enable NTLM Auditing via Group Policy Registry Settings
# Must be applied via GPO for domain-wide coverage
# Audit all NTLM authentication in this domain
# GPO: Computer Configuration > Policies > Windows Settings > Security Settings >
# Local Policies > Security Options >
# Network Security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
# Registry equivalent (apply via GPO preferences or startup script)
# Domain Controller setting:
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
# -Name "AuditNTLMInDomain" -Value 7 -Type DWord
# Audit incoming NTLM traffic on all servers:
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
# -Name "AuditReceivingNTLMTraffic" -Value 2 -Type DWord
# After enabling auditing, NTLM events appear in:
# Applications and Services Logs > Microsoft > Windows > NTLM > Operational
# Query NTLM operational log for audit events
Get-WinEvent -LogName "Microsoft-Windows-NTLM/Operational" -MaxEvents 200 -ErrorAction SilentlyContinue |
Where-Object { $_.Id -in @(8001, 8002, 8003, 8004) } |
Select-Object TimeCreated, Id,
@{N='EventType'; E={
switch ($_.Id) {
8001 { "NTLM client blocked audit" }
8002 { "NTLM server blocked audit" }
8003 { "NTLM server blocked in domain" }
8004 { "NTLM authentication to DC audit" }
}
}},
@{N='Detail'; E={$_.Message.Substring(0, [Math]::Min(300, $_.Message.Length))}} |
Format-Table -AutoSize# Splunk: Monitor NTLM Audit Events (Event ID 8004)
# Shows all NTLM authentications passing through domain controllers
index=wineventlog source="WinEventLog:Microsoft-Windows-NTLM/Operational"
EventCode=8004
| rex field=Message "Calling client name:\s+(?<client_name>[^\r\n]+)"
| rex field=Message "Calling client IP:\s+(?<client_ip>[^\r\n]+)"
| rex field=Message "Server name:\s+(?<server_name>[^\r\n]+)"
| stats count dc(server_name) as unique_servers by client_name client_ip
| sort -count
| table client_name client_ip unique_servers countStep 7: PetitPotam and Coercion Attack Detection
# Splunk: Detect PetitPotam / EFSCoerce Attack
# Monitor for machine account NTLM authentications relayed to other services
index=wineventlog EventCode=4624 LogonType=3
AuthenticationPackageName="NTLM"
TargetUserName="*$"
| where match(TargetUserName, "^[A-Z0-9\\-]+\\$$")
| eval is_dc = if(match(TargetUserName, "(DC|DCSERVER|DOMCTRL)"), "Yes", "No")
| where IpAddress != "127.0.0.1" AND IpAddress != "::1"
| stats count values(ComputerName) as target_hosts
values(IpAddress) as source_ips by TargetUserName
| where count > 2 OR mvcount(source_ips) > 1
| table TargetUserName source_ips target_hosts count
| sort -count-- Microsoft Sentinel KQL: PetitPotam / Coercion Attack Detection
-- Detects domain controller machine account authenticating from unexpected IPs
let dc_accounts = SecurityEvent
| where EventID == 4624 and LogonType == 3
| where TargetUserName endswith "$"
| where Computer startswith "DC"
| distinct TargetUserName;
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where TargetUserName in (dc_accounts)
| where IpAddress != "127.0.0.1" and IpAddress != "::1"
| extend SourceHostExpected = iff(
Computer == replace_string(TargetUserName, "$", ""), true, false)
| where SourceHostExpected == false
| project TimeGenerated, Computer, TargetUserName, IpAddress,
WorkstationName, LogonProcessName, AuthenticationPackageName
| sort by TimeGenerated desc# Sigma Rule: NTLM Relay - Computer Account Authentication from Unexpected Source
title: Potential NTLM Relay of Computer Account Credentials
id: 5e6f7a8b-9c0d-1e2f-3a4b-5c6d7e8f9a0b
status: stable
description: >
Detects a computer account (ending in $) authenticating via NTLM LogonType 3
where the source IP does not match the computer's known IP, indicating possible
NTLM relay of coerced machine authentication (PetitPotam, DFSCoerce, PrinterBug).
references:
- https://www.crowdstrike.com/en-us/blog/how-to-detect-domain-controller-account-relay-attacks-with-crowdstrike-identity-protection/
- https://www.fox-it.com/nl-en/research-blog/detecting-and-hunting-for-the-petitpotam-ntlm-relay-attack/
- https://www.nccgroup.com/research-blog/detecting-and-hunting-for-the-petitpotam-ntlm-relay-attack/
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
AuthenticationPackageName: NTLM
TargetUserName|endswith: '$'
filter_localhost:
IpAddress:
- '127.0.0.1'
- '::1'
- '-'
condition: selection and not filter_localhost
level: high
tags:
- attack.credential_access
- attack.t1557.001
- attack.t1187
falsepositives:
- Legitimate NTLM authentication from machine accounts during failover
- Cluster service machine account authenticationStep 8: Build Comprehensive Correlation Dashboard
# Splunk: NTLM Relay Detection Dashboard -- Combined Correlation Query
# Panel 1: IP-Hostname Mismatches (Core Relay Indicator)
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
| where TargetUserName != "ANONYMOUS LOGON" AND NOT match(TargetUserName, ".*\\$$")
| eval mismatch=if(lower(WorkstationName) != lower(mvindex(split(IpAddress, "."), 0)),
"POSSIBLE_MISMATCH", "OK")
| where mismatch="POSSIBLE_MISMATCH"
| stats count by TargetUserName WorkstationName IpAddress ComputerName
# Panel 2: NTLMv1 Downgrade Events
index=wineventlog EventCode=4624 LmPackageName="NTLM V1"
| timechart span=1h count by ComputerName
# Panel 3: Machine Account Relay (PetitPotam Indicator)
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
TargetUserName="*$"
| stats count values(IpAddress) as relay_sources by TargetUserName ComputerName
# Panel 4: NTLM Authentication Volume Anomaly
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
| timechart span=15m count
| streamstats window=20 avg(count) as avg_count stdev(count) as stdev_count
| eval upper_bound=avg_count + (3 * stdev_count)
| where count > upper_bound
# Panel 5: SMB Signing Status (from audit results)
| inputlookup smb_signing_audit.csv
| stats count by Status
| table Status countKey Concepts
| Term | Definition |
|---|---|
| NTLM Relay (T1557.001) | Attack that intercepts NTLM authentication messages and forwards them to a target service, authenticating as the victim without knowing their password |
| Event 4624 LogonType 3 | Windows Security Event for successful network logon -- the primary event generated on relay targets; source IP field reveals the relay attacker's address |
| IP-Hostname Mismatch | When Event 4624 WorkstationName field does not correspond to the IpAddress field, indicating the authentication was relayed through a third party |
| Responder | Attack tool that poisons LLMNR (UDP 5355), NBT-NS (UDP 137), and mDNS (UDP 5353) responses to capture NTLM authentication from victims on the local network |
| ntlmrelayx | Fox-IT/Impacket tool that relays captured NTLM authentication to SMB, LDAP, HTTP, MSSQL, and other protocols to gain unauthorized access |
| SMB Signing | Cryptographic signing of SMB packets that prevents relay attacks against SMB services; must be set to "Required" (not just "Enabled") for protection |
| LDAP Signing | Cryptographic signing of LDAP operations that prevents relay attacks against LDAP services on domain controllers; controlled by LDAPServerIntegrity registry value |
| LDAP Channel Binding | Extended Protection for Authentication (EPA) that binds the NTLM authentication to the TLS channel, preventing relay to LDAPS |
| NTLMv1 Downgrade | Attack forcing authentication from NTLMv2 to the weaker NTLMv1 protocol, which is easier to crack offline and has weaker relay protections |
| PetitPotam | Coercion technique abusing MS-EFSRPC to force a domain controller to authenticate to an attacker-controlled host, enabling relay to AD CS or LDAP |
| LmCompatibilityLevel | Registry setting controlling which NTLM version is used; value of 5 (Send NTLMv2 only, refuse LM and NTLM) provides strongest protection |
| Event 8004 | NTLM operational log event on domain controllers showing all NTLM authentication pass-through, critical for auditing NTLM usage before restriction |
Tools & Systems
| Tool | Purpose |
|---|---|
| Splunk / Elastic SIEM | Log aggregation and correlation for Event 4624 analysis, IP-hostname mismatch detection, and NTLM downgrade monitoring |
| Microsoft Sentinel | Cloud SIEM with KQL queries for NTLM relay detection and built-in analytics rules for PetitPotam |
| CrowdStrike Falcon Identity Protection | Detects NTLM relay attacks against domain controller accounts regardless of coercion method used |
| Responder | LLMNR/NBT-NS/mDNS poisoning tool used by attackers -- understanding its behavior is essential for detection |
| ntlmrelayx (Impacket) | Multi-protocol NTLM relay tool developed by Fox-IT -- used in testing and by adversaries |
| PingCastle | Active Directory security assessment tool that audits SMB signing, LDAP signing, and NTLM configuration |
| Zeek | Network security monitor for capturing SMB signing negotiation, LLMNR traffic, and DCE-RPC activity |
| Sigma | Vendor-agnostic detection rule format for portable NTLM relay detection rules |
Common Scenarios
Scenario 1: Responder Poisoning with NTLM Relay to File Server
Context: A SOC analyst observes multiple Event 4624 LogonType 3 entries on a file server (10.10.20.100) where the WorkstationName field shows different workstation names but the IpAddress field consistently shows 10.10.5.50, a host not in the IT asset inventory.
Approach:
- Query Event 4624 on 10.10.20.100 filtered for IpAddress=10.10.5.50: find 15 successful NTLM logons in 30 minutes from 8 different user accounts
- Cross-reference 10.10.5.50 with DHCP logs and DNS: host is not a registered domain member, MAC address shows a Linux-based NIC
- Query Zeek network logs for 10.10.5.50: identify LLMNR responses (UDP 5355) to multiple workstations and SMB connections to 10.10.20.100
- Confirm IP-hostname mismatch: WorkstationName values (WS-FINANCE01, WS-HR03, etc.) all resolve to different IPs in DNS, not 10.10.5.50
- Check SMB signing on 10.10.20.100: RequireSecuritySignature is False, enabling the relay attack
- Contain: block 10.10.5.50 at the switch, force password reset for all 8 affected accounts, enable SMB signing on the file server
- Remediate: disable LLMNR and NBT-NS via GPO, enforce SMB signing domain-wide
Pitfalls:
- Dismissing the multiple logons as normal network activity without checking the IP-hostname correlation
- Not checking SMB signing status on the target server to understand why the relay succeeded
- Only resetting the password for one user instead of all accounts that were relayed
Scenario 2: PetitPotam Relay to AD Certificate Services
Context: During a threat hunt, an analyst finds Event 4624 LogonType 3 on the AD CS server (ADCS01) showing the domain controller machine account (DC01$) authenticating via NTLM from IP 10.10.5.50, which is not the DC's IP address (10.10.1.10).
Approach:
- Confirm the anomaly: DC01$ should only authenticate from 10.10.1.10, but Event 4624 shows authentication from 10.10.5.50 via NTLM (not Kerberos)
- Check for certificate enrollment: query AD CS logs for certificate requests from DC01$ around the same timestamp -- find a certificate issued for DC01$
- Identify the attack: PetitPotam coerced DC01 to authenticate to 10.10.5.50, which relayed the authentication to ADCS01 to request a certificate for DC01$
- Assess impact: with a DC certificate, the attacker can authenticate as DC01$ and perform DCSync to extract all domain credentials
- Revoke the fraudulently issued certificate immediately
- Check for DCSync activity: query Event 4662 for directory replication from non-DC sources
- Contain: isolate 10.10.5.50, revoke certificate, patch EFS (MS-EFSRPC), enforce EPA on AD CS, require LDAP signing on all DCs
Pitfalls:
- Not recognizing that machine account NTLM authentication from an unexpected IP is a critical indicator of coercion + relay
- Failing to check AD CS for fraudulent certificate issuance, which represents the actual objective of the attack
- Not auditing LDAP signing and EPA on AD CS servers, which would have prevented the relay
Output Format
Hunt ID: TH-NTLM-RELAY-[DATE]-[SEQ]
Alert Severity: Critical
MITRE Technique: T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay)
Relay Indicators:
Victim Account: [Domain\Username or Machine$]
WorkstationName: [Victim hostname from Event 4624]
Expected Source IP: [IP matching WorkstationName in DNS/DHCP]
Actual Source IP: [Attacker/relay IP from Event 4624 IpAddress field]
Target Host: [Server receiving the relayed authentication]
Authentication Details:
Event ID: 4624
LogonType: 3 (Network)
AuthenticationPackage: NTLM
LmPackageName: [NTLM V1 or NTLM V2]
LogonProcess: [NtLmSsp]
Timestamp: [Event time]
Signing Status:
Target SMB Signing: [Required/Not Required]
Target LDAP Signing: [Required/Not Required]
LDAP Channel Binding: [Required/Not Required]
Poisoning Evidence:
LLMNR Activity: [Detected/Not Detected from relay IP]
NBT-NS Activity: [Detected/Not Detected from relay IP]
Coercion Method: [PetitPotam/DFSCoerce/PrinterBug/Unknown]
Risk Assessment: [Critical - relay from DC / High - relay from user account]
Recommended Actions:
- Immediate: [Block relay IP, reset affected credentials]
- Short-term: [Enable SMB/LDAP signing, disable LLMNR/NBT-NS]
- Long-term: [Migrate to Kerberos, enforce EPA, restrict NTLM via GPO]References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md7.2 KB
NTLM Relay Detection API Reference
MITRE ATT&CK Mapping
| Technique | ID | Description |
|---|---|---|
| LLMNR/NBT-NS Poisoning and SMB Relay | T1557.001 | Poisoning name resolution to capture and relay NTLM auth |
| Forced Authentication | T1187 | Coercing systems to authenticate (PetitPotam, PrinterBug) |
| Adversary-in-the-Middle | T1557 | Parent technique for relay and poisoning attacks |
| Exploitation for Credential Access | T1212 | Exploiting protocol weaknesses for credential theft |
Windows Security Event IDs for NTLM Relay Detection
| Event ID | Log | Relay Significance |
|---|---|---|
| 4624 (Type 3) | Security | Network logon -- primary relay detection event. Check IP vs WorkstationName |
| 4625 | Security | Failed logon -- relay failures leave traces here |
| 4648 | Security | Explicit credential logon -- may appear in some relay scenarios |
| 4776 | Security | NTLM credential validation on domain controller |
| 8001 | NTLM Operational | NTLM client blocked audit |
| 8002 | NTLM Operational | NTLM server blocked audit |
| 8003 | NTLM Operational | NTLM server blocked in domain |
| 8004 | NTLM Operational | NTLM authentication to DC audit (critical for inventory) |
Event 4624 Key Fields for Relay Detection
| Field | Normal Value | Relay Indicator |
|---|---|---|
| LogonType | 3 | Always 3 for network relay |
| AuthenticationPackageName | NTLM | Must be NTLM (Kerberos cannot be relayed) |
| LmPackageName | NTLM V2 | NTLM V1 indicates downgrade attack |
| WorkstationName | Victim hostname | Name of victim machine (not the relay host) |
| IpAddress | Victim IP | Attacker/relay IP (MISMATCH = relay indicator) |
| LogonProcessName | NtLmSsp | Standard for NTLM logon |
| ImpersonationLevel | Delegation/Impersonation | High privilege relay |
SMB Signing Registry Keys
| Registry Path | Value | Secure Setting |
|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature | REG_DWORD | 1 (Required) |
| HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature | REG_DWORD | 1 (Enabled) |
| HKLM\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature | REG_DWORD | 1 (Required) |
LDAP Signing Registry Keys (Domain Controllers)
| Registry Path | Value | Meaning |
|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity | 0 | None (Vulnerable) |
| 1 | Negotiate (Default - Vulnerable) | |
| 2 | Required (Secure) | |
| HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding | 0 | Disabled (Vulnerable) |
| 1 | When Supported | |
| 2 | Always Required (Secure) |
NTLM Configuration Registry Keys
| Registry Path | Value | Meaning |
|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel | 0 | Send LM & NTLM (Most Vulnerable) |
| 1 | Send LM & NTLM, NTLMv2 session if negotiated | |
| 2 | Send NTLM only | |
| 3 | Send NTLMv2 only (Recommended minimum) | |
| 4 | Send NTLMv2 only, refuse LM | |
| 5 | Send NTLMv2 only, refuse LM & NTLM (Most Secure) | |
| HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast | 0 | LLMNR Disabled (Secure) |
| 1 | LLMNR Enabled (Vulnerable to Responder) |
Network Indicators
| Protocol | Port | Attack Role |
|---|---|---|
| UDP | 5355 | LLMNR -- Responder poisoning target |
| UDP | 137 | NBT-NS -- Responder poisoning target |
| UDP | 5353 | mDNS -- Responder poisoning target |
| TCP | 445 | SMB -- relay target (if signing not enforced) |
| TCP | 389 | LDAP -- relay target (if signing not enforced) |
| TCP | 636 | LDAPS -- relay target (if channel binding not enforced) |
| TCP | 80/443 | HTTP(S) -- relay target for AD CS enrollment |
| TCP | 135 | RPC -- used for coercion (PetitPotam, PrinterBug) |
Coercion Methods
| Method | Protocol | Vulnerability | Target |
|---|---|---|---|
| PetitPotam | MS-EFSRPC | CVE-2021-36942 | Domain controllers -> AD CS |
| DFSCoerce | MS-DFSNM | N/A | Domain controllers |
| PrinterBug (SpoolSample) | MS-RPRN | By design | Any host with Print Spooler |
| ShadowCoerce | MS-FSRVP | N/A | Hosts with File Server VSS Agent |
Splunk SPL - NTLM Relay Detection Queries
# IP-hostname mismatch detection
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
| where TargetUserName != "ANONYMOUS LOGON"
| lookup dns_inventory hostname AS WorkstationName OUTPUT expected_ip
| where isnotnull(expected_ip) AND IpAddress != expected_ip
| table _time ComputerName TargetUserName WorkstationName IpAddress expected_ip
# NTLMv1 downgrade detection
index=wineventlog EventCode=4624 LmPackageName="NTLM V1"
| where TargetUserName != "ANONYMOUS LOGON"
| stats count by TargetUserName IpAddress ComputerName
# Machine account relay (PetitPotam indicator)
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
TargetUserName="*$"
| stats dc(IpAddress) as source_count values(IpAddress) as sources by TargetUserName
| where source_count > 1KQL - Microsoft Sentinel Queries
// NTLM relay IP-hostname mismatch
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where TargetUserName !endswith "$" and TargetUserName != "ANONYMOUS LOGON"
| where IpAddress != "-" and IpAddress != "127.0.0.1"
| project TimeGenerated, Computer, TargetUserName, WorkstationName, IpAddress, LmPackageName
// NTLMv1 downgrade detection
SecurityEvent
| where EventID == 4624 and LmPackageName == "NTLM V1"
| where TargetUserName !endswith "$"
| summarize Count=count() by TargetUserName, IpAddress, Computerpython-evtx - Parse Security EVTX
from Evtx.Evtx import FileHeader
from lxml import etree
NS = {"evt": "http://schemas.microsoft.com/win/2004/08/events/event"}
with open("Security.evtx", "rb") as f:
fh = FileHeader(f)
for record in fh.records():
root = etree.fromstring(record.xml().encode("utf-8"))
eid = root.find(".//evt:System/evt:EventID", NS)
if eid is not None and eid.text == "4624":
data = {e.get("Name"): e.text for e in root.findall(".//evt:EventData/evt:Data", NS)}
if data.get("AuthenticationPackageName") == "NTLM" and data.get("LogonType") == "3":
print(data.get("TargetUserName"), data.get("WorkstationName"), data.get("IpAddress"))References
- Fox-IT ntlmrelayx: https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/
- Fox-IT PetitPotam Detection: https://www.fox-it.com/nl-en/research-blog/detecting-and-hunting-for-the-petitpotam-ntlm-relay-attack/
- CrowdStrike NTLM Relay Detection: https://www.crowdstrike.com/en-us/blog/how-to-detect-domain-controller-account-relay-attacks-with-crowdstrike-identity-protection/
- NCC Group PetitPotam: https://www.nccgroup.com/research-blog/detecting-and-hunting-for-the-petitpotam-ntlm-relay-attack/
- HackTheBox NTLM Relay Detection: https://www.hackthebox.com/blog/ntlm-relay-attack-detection
- Microsoft NTLMv1 Detection: https://dirteam.com/sander/2022/06/15/howto-detect-ntlmv1-authentication/
- MITRE T1557.001: https://attack.mitre.org/techniques/T1557/001/
Scripts 3
agent.py14.4 KB
#!/usr/bin/env python3
"""NTLM Relay Detection Agent - Detects NTLM relay via Event 4624 correlation and signing audit."""
import json
import logging
import argparse
import csv
import os
import sys
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
EVTX_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
RAPID_AUTH_WINDOW_DEFAULT = 120
RAPID_AUTH_THRESHOLD_DEFAULT = 3
SUBPROCESS_TIMEOUT = 30
def parse_security_evtx(evtx_path):
"""Parse Windows Security EVTX for Event 4624/4625/4776."""
try:
from Evtx.Evtx import FileHeader
from lxml import etree
except ImportError:
logger.error("Required packages missing. Install: pip install python-evtx lxml")
sys.exit(1)
events = []
target_ids = {"4624", "4625", "4776"}
ns = {"evt": EVTX_NS}
with open(evtx_path, "rb") as f:
fh = FileHeader(f)
for record in fh.records():
try:
xml = record.xml()
root = etree.fromstring(xml.encode("utf-8"))
eid_elem = root.find(".//evt:System/evt:EventID", ns)
if eid_elem is None or eid_elem.text not in target_ids:
continue
data = {}
for elem in root.findall(".//evt:EventData/evt:Data", ns):
data[elem.get("Name", "")] = elem.text or ""
time_elem = root.find(".//evt:System/evt:TimeCreated", ns)
data["TimeCreated"] = time_elem.get("SystemTime", "") if time_elem is not None else ""
comp_elem = root.find(".//evt:System/evt:Computer", ns)
data["Computer"] = comp_elem.text if comp_elem is not None else ""
data["EventID"] = eid_elem.text
events.append(data)
except Exception:
continue
logger.info("Parsed %d security events from %s", len(events), evtx_path)
return events
def load_inventory(csv_path):
"""Load hostname-to-IP inventory from CSV (columns: hostname, ip_address)."""
inventory = {}
try:
with open(csv_path, "r", newline="") as f:
reader = csv.DictReader(f)
for row in reader:
hostname = row.get("hostname", "").strip().upper()
ip = row.get("ip_address", "").strip()
if hostname and ip:
inventory[hostname] = ip
except Exception as e:
logger.error("Failed to load inventory: %s", e)
logger.info("Loaded %d hosts from inventory", len(inventory))
return inventory
def detect_ip_hostname_mismatch(events, inventory):
"""Detect NTLM relay via IP-hostname mismatch in Event 4624 LogonType 3."""
findings = []
for ev in events:
if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
continue
if ev.get("AuthenticationPackageName") != "NTLM":
continue
user = ev.get("TargetUserName", "")
if user.endswith("$") or user in ("ANONYMOUS LOGON", "-", ""):
continue
source_ip = ev.get("IpAddress", "")
if source_ip in ("-", "::1", "127.0.0.1", ""):
continue
workstation = ev.get("WorkstationName", "").strip().upper()
if workstation in inventory:
expected = inventory[workstation]
if source_ip != expected:
findings.append({
"detection": "IP-Hostname Mismatch (NTLM Relay Indicator)",
"severity": "CRITICAL",
"mitre": "T1557.001",
"timestamp": ev.get("TimeCreated"),
"target_host": ev.get("Computer"),
"target_user": user,
"workstation": workstation,
"actual_ip": source_ip,
"expected_ip": expected,
"lm_package": ev.get("LmPackageName"),
})
logger.info("IP-hostname mismatch findings: %d", len(findings))
return findings
def detect_rapid_auth(events, window=RAPID_AUTH_WINDOW_DEFAULT, threshold=RAPID_AUTH_THRESHOLD_DEFAULT):
"""Detect rapid NTLM authentication to multiple targets (relay spraying)."""
findings = []
auth_groups = defaultdict(list)
for ev in events:
if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
continue
if ev.get("AuthenticationPackageName") != "NTLM":
continue
user = ev.get("TargetUserName", "")
ip = ev.get("IpAddress", "")
if user.endswith("$") or user in ("ANONYMOUS LOGON", "-", ""):
continue
if ip in ("-", "::1", "127.0.0.1", ""):
continue
try:
ts = datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))
except (ValueError, KeyError):
continue
auth_groups[(ip, user)].append({"ts": ts, "target": ev.get("Computer", "")})
for (ip, user), auths in auth_groups.items():
auths.sort(key=lambda x: x["ts"])
for i in range(len(auths)):
start = auths[i]["ts"]
end = start + timedelta(seconds=window)
targets = set()
for j in range(i, len(auths)):
if auths[j]["ts"] <= end:
targets.add(auths[j]["target"])
else:
break
if len(targets) >= threshold:
findings.append({
"detection": "Rapid Multi-Host NTLM Auth (Relay Spraying)",
"severity": "HIGH",
"mitre": "T1557.001",
"timestamp": start.isoformat(),
"source_ip": ip,
"target_user": user,
"unique_targets": len(targets),
"targets": sorted(targets),
"window_seconds": window,
})
break
logger.info("Rapid auth findings: %d", len(findings))
return findings
def detect_ntlmv1_downgrade(events):
"""Detect NTLMv1 authentication events indicating downgrade attack."""
findings = []
v1_by_user = defaultdict(list)
for ev in events:
if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
continue
lm = ev.get("LmPackageName", "")
if "NTLM V1" not in lm:
continue
user = ev.get("TargetUserName", "")
if user.endswith("$") or user in ("ANONYMOUS LOGON", "-", ""):
continue
v1_by_user[user].append({
"ts": ev.get("TimeCreated"),
"target": ev.get("Computer"),
"ip": ev.get("IpAddress"),
})
for user, auths in v1_by_user.items():
findings.append({
"detection": "NTLMv1 Downgrade Detected",
"severity": "HIGH",
"mitre": "T1557.001",
"timestamp": auths[0]["ts"],
"target_user": user,
"ntlmv1_count": len(auths),
"source_ips": sorted(set(a["ip"] for a in auths)),
"targets": sorted(set(a["target"] for a in auths)),
})
logger.info("NTLMv1 downgrade findings: %d", len(findings))
return findings
def detect_machine_relay(events):
"""Detect machine account NTLM relay (PetitPotam, DFSCoerce, PrinterBug)."""
findings = []
machine_auths = defaultdict(list)
for ev in events:
if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
continue
if ev.get("AuthenticationPackageName") != "NTLM":
continue
user = ev.get("TargetUserName", "")
if not user.endswith("$"):
continue
ip = ev.get("IpAddress", "")
if ip in ("-", "::1", "127.0.0.1", ""):
continue
machine_auths[user].append({
"ts": ev.get("TimeCreated"),
"target": ev.get("Computer"),
"ip": ip,
})
for machine, auths in machine_auths.items():
ips = set(a["ip"] for a in auths)
if len(ips) > 1:
findings.append({
"detection": "Machine Account Relay (Coercion + NTLM Relay)",
"severity": "CRITICAL",
"mitre": "T1557.001",
"timestamp": auths[0]["ts"],
"machine_account": machine,
"source_ips": sorted(ips),
"targets": sorted(set(a["target"] for a in auths)),
"auth_count": len(auths),
})
logger.info("Machine account relay findings: %d", len(findings))
return findings
def audit_smb_signing_local():
"""Audit local SMB signing configuration (Windows only)."""
if sys.platform != "win32":
logger.info("SMB signing audit only available on Windows")
return {}
audit = {}
checks = {
"SMB_Server_RequireSign": (
r"HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters",
"RequireSecuritySignature"
),
"SMB_Client_RequireSign": (
r"HKLM\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters",
"RequireSecuritySignature"
),
"LmCompatibilityLevel": (
r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
"LmCompatibilityLevel"
),
"LLMNR_Disabled": (
r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient",
"EnableMulticast"
),
}
for label, (key, value_name) in checks.items():
try:
result = subprocess.run(
["reg", "query", key, "/v", value_name],
capture_output=True, text=True, timeout=SUBPROCESS_TIMEOUT
)
if result.returncode == 0:
for line in result.stdout.splitlines():
if value_name in line:
parts = line.strip().split()
audit[label] = parts[-1] if parts else "UNKNOWN"
break
else:
audit[label] = "NOT_CONFIGURED"
except subprocess.TimeoutExpired:
audit[label] = "TIMEOUT"
except Exception as e:
audit[label] = f"ERROR: {e}"
# Evaluate risk
smb_server = audit.get("SMB_Server_RequireSign", "")
audit["SMB_Relay_Vulnerable"] = "YES" if smb_server != "0x1" else "NO"
lm_level = audit.get("LmCompatibilityLevel", "")
try:
lm_int = int(lm_level, 0)
audit["NTLMv1_Vulnerable"] = "YES" if lm_int < 3 else "NO"
except (ValueError, TypeError):
audit["NTLMv1_Vulnerable"] = "UNKNOWN"
llmnr = audit.get("LLMNR_Disabled", "")
audit["Responder_Vulnerable"] = "NO" if llmnr == "0x0" else "YES"
return audit
def generate_report(all_findings, smb_audit, output_path):
"""Generate JSON detection report."""
report = {
"scan_timestamp": datetime.utcnow().isoformat() + "Z",
"mitre_technique": "T1557.001",
"summary": {
"total_findings": len(all_findings),
"critical": len([f for f in all_findings if f.get("severity") == "CRITICAL"]),
"high": len([f for f in all_findings if f.get("severity") == "HIGH"]),
"medium": len([f for f in all_findings if f.get("severity") == "MEDIUM"]),
},
"findings": all_findings,
"smb_signing_audit": smb_audit,
}
with open(output_path, "w") as f:
json.dump(report, f, indent=2, default=str)
logger.info("Report saved to %s", output_path)
s = report["summary"]
print(f"\nNTLM RELAY DETECTION REPORT")
print(f" Total findings: {s['total_findings']}")
print(f" Critical: {s['critical']}, High: {s['high']}, Medium: {s['medium']}")
if s["critical"] > 0:
print(" [!!!] CRITICAL: IP-hostname mismatch or machine account relay detected")
if smb_audit.get("SMB_Relay_Vulnerable") == "YES":
print(" [!] WARNING: SMB signing NOT enforced on this host")
if smb_audit.get("Responder_Vulnerable") == "YES":
print(" [!] WARNING: LLMNR enabled - vulnerable to Responder poisoning")
return report
def main():
parser = argparse.ArgumentParser(
description="NTLM Relay Detection Agent (T1557.001)"
)
parser.add_argument("--evtx", required=True, help="Path to Windows Security .evtx file")
parser.add_argument("--inventory", help="CSV file with hostname,ip_address columns for mismatch detection")
parser.add_argument("--output", "-o", default="ntlm_relay_report.json",
help="Output JSON report path (default: ntlm_relay_report.json)")
parser.add_argument("--rapid-window", type=int, default=RAPID_AUTH_WINDOW_DEFAULT,
help=f"Rapid auth detection window in seconds (default: {RAPID_AUTH_WINDOW_DEFAULT})")
parser.add_argument("--rapid-threshold", type=int, default=RAPID_AUTH_THRESHOLD_DEFAULT,
help=f"Min unique targets for rapid auth alert (default: {RAPID_AUTH_THRESHOLD_DEFAULT})")
parser.add_argument("--audit-signing", action="store_true",
help="Audit local SMB/NTLM signing configuration (Windows only)")
parser.add_argument("--verbose", "-v", action="store_true", help="Enable debug logging")
args = parser.parse_args()
if args.verbose:
logging.getLogger().setLevel(logging.DEBUG)
if not os.path.isfile(args.evtx):
logger.error("EVTX file not found: %s", args.evtx)
sys.exit(1)
inventory = {}
if args.inventory:
if os.path.isfile(args.inventory):
inventory = load_inventory(args.inventory)
else:
logger.warning("Inventory file not found: %s", args.inventory)
logger.info("Parsing security events from: %s", args.evtx)
events = parse_security_evtx(args.evtx)
mismatch = detect_ip_hostname_mismatch(events, inventory) if inventory else []
rapid = detect_rapid_auth(events, args.rapid_window, args.rapid_threshold)
downgrade = detect_ntlmv1_downgrade(events)
machine = detect_machine_relay(events)
if not inventory:
logger.warning("No inventory provided (--inventory). IP-hostname mismatch detection disabled.")
all_findings = mismatch + machine + rapid + downgrade
all_findings.sort(key=lambda x: {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}.get(
x.get("severity", "LOW"), 4))
smb_audit = audit_smb_signing_local() if args.audit_signing else {}
generate_report(all_findings, smb_audit, args.output)
if __name__ == "__main__":
main()
audit_smb_signing.ps113.6 KB
#Requires -Version 5.1
<#
.SYNOPSIS
Audits SMB signing, LDAP signing, and NTLM configuration across Active Directory.
.DESCRIPTION
This script performs a comprehensive audit of NTLM relay attack surface by checking:
- SMB signing enforcement on all domain-joined Windows hosts
- LDAP signing and channel binding on domain controllers
- LmCompatibilityLevel (NTLMv1 vs NTLMv2 enforcement)
- LLMNR and NBT-NS configuration
- NTLM restriction policies
Outputs results to CSV and provides a risk summary.
.PARAMETER OutputPath
Directory to save audit results. Defaults to current directory.
.PARAMETER DomainControllerOnly
Only audit domain controllers (faster for large environments).
.PARAMETER SkipConnectivity
Skip remote connectivity checks (only check local configuration).
.EXAMPLE
.\audit_smb_signing.ps1 -OutputPath C:\AuditResults
.\audit_smb_signing.ps1 -DomainControllerOnly
#>
[CmdletBinding()]
param(
[Parameter()]
[string]$OutputPath = ".",
[Parameter()]
[switch]$DomainControllerOnly,
[Parameter()]
[switch]$SkipConnectivity
)
$ErrorActionPreference = "Continue"
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
Write-Host @"
==============================================================================
NTLM Relay Attack Surface Audit
Checks SMB Signing, LDAP Signing, NTLM Configuration
MITRE ATT&CK: T1557.001
Run Time: $(Get-Date -Format "yyyy-MM-dd HH:mm:ss")
==============================================================================
"@
# ============================================================================
# Section 1: SMB Signing Audit
# ============================================================================
Write-Host "`n[*] Section 1: SMB Signing Audit" -ForegroundColor Cyan
$smbResults = @()
if ($DomainControllerOnly) {
Write-Host "[*] Scanning domain controllers only..."
$targets = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
} else {
Write-Host "[*] Scanning all domain computers..."
$targets = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like "*Windows*" } |
Select-Object -ExpandProperty DNSHostName
}
Write-Host "[*] Found $($targets.Count) targets to audit"
$counter = 0
foreach ($target in $targets) {
$counter++
Write-Progress -Activity "Auditing SMB Signing" -Status "$target ($counter/$($targets.Count))" `
-PercentComplete (($counter / $targets.Count) * 100)
$result = [PSCustomObject]@{
Hostname = $target
Reachable = $false
SMBServerSignRequired = "Unknown"
SMBServerSignEnabled = "Unknown"
SMBClientSignRequired = "Unknown"
SMBClientSignEnabled = "Unknown"
RelayVulnerable = "Unknown"
ErrorDetail = ""
}
if (-not $SkipConnectivity) {
try {
$session = New-CimSession -ComputerName $target -OperationTimeoutSec 10 -ErrorAction Stop
$result.Reachable = $true
$serverConfig = Get-SmbServerConfiguration -CimSession $session -ErrorAction Stop
$result.SMBServerSignRequired = $serverConfig.RequireSecuritySignature
$result.SMBServerSignEnabled = $serverConfig.EnableSecuritySignature
try {
$clientConfig = Get-SmbClientConfiguration -CimSession $session -ErrorAction Stop
$result.SMBClientSignRequired = $clientConfig.RequireSecuritySignature
$result.SMBClientSignEnabled = $clientConfig.EnableSecuritySignature
} catch {
$result.SMBClientSignRequired = "Error"
$result.SMBClientSignEnabled = "Error"
}
# Determine relay vulnerability
if ($serverConfig.RequireSecuritySignature -eq $true) {
$result.RelayVulnerable = "No - SMB Signing Required"
} elseif ($serverConfig.EnableSecuritySignature -eq $true) {
$result.RelayVulnerable = "Partial - Signing Enabled but Not Required"
} else {
$result.RelayVulnerable = "YES - SMB Signing Not Enforced"
}
Remove-CimSession $session
} catch {
$result.ErrorDetail = $_.Exception.Message
$result.RelayVulnerable = "Unknown - Connection Failed"
}
}
$smbResults += $result
}
Write-Progress -Activity "Auditing SMB Signing" -Completed
$smbCsvPath = Join-Path $OutputPath "smb_signing_audit_$timestamp.csv"
$smbResults | Export-Csv -Path $smbCsvPath -NoTypeInformation
Write-Host "[*] SMB signing results saved to: $smbCsvPath"
$vulnerable = @($smbResults | Where-Object { $_.RelayVulnerable -like "YES*" })
$partial = @($smbResults | Where-Object { $_.RelayVulnerable -like "Partial*" })
$secure = @($smbResults | Where-Object { $_.RelayVulnerable -like "No*" })
Write-Host "`n SMB Signing Summary:"
Write-Host " Fully Protected (Signing Required): $($secure.Count)" -ForegroundColor Green
Write-Host " Partially Protected (Signing Enabled): $($partial.Count)" -ForegroundColor Yellow
Write-Host " VULNERABLE (Signing Not Enforced): $($vulnerable.Count)" -ForegroundColor Red
if ($vulnerable.Count -gt 0) {
Write-Host "`n [!] Vulnerable hosts:" -ForegroundColor Red
$vulnerable | Select-Object -First 10 | ForEach-Object {
Write-Host " $($_.Hostname)" -ForegroundColor Red
}
if ($vulnerable.Count -gt 10) {
Write-Host " ... and $($vulnerable.Count - 10) more (see CSV)" -ForegroundColor Red
}
}
# ============================================================================
# Section 2: LDAP Signing Audit (Domain Controllers)
# ============================================================================
Write-Host "`n[*] Section 2: LDAP Signing Audit (Domain Controllers)" -ForegroundColor Cyan
$ldapResults = @()
$dcs = Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, OperatingSystem
foreach ($dc in $dcs) {
$ldapResult = [PSCustomObject]@{
DCHostname = $dc.HostName
IPAddress = $dc.IPv4Address
OS = $dc.OperatingSystem
LDAPSigning = "Unknown"
ChannelBinding = "Unknown"
RelayToLDAP = "Unknown"
ErrorDetail = ""
}
try {
$ldapSigning = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$signing = (Get-ItemProperty -Path $regPath -Name "LDAPServerIntegrity" -ErrorAction SilentlyContinue).LDAPServerIntegrity
$binding = (Get-ItemProperty -Path $regPath -Name "LdapEnforceChannelBinding" -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
return @{ Signing = $signing; Binding = $binding }
} -ErrorAction Stop
$ldapResult.LDAPSigning = switch ($ldapSigning.Signing) {
0 { "None (VULNERABLE)" }
1 { "Negotiate (Default - VULNERABLE to relay)" }
2 { "Required (Secure)" }
default { "Not Configured (defaults to Negotiate - VULNERABLE)" }
}
$ldapResult.ChannelBinding = switch ($ldapSigning.Binding) {
0 { "Disabled (VULNERABLE)" }
1 { "When Supported" }
2 { "Always Required (Secure)" }
default { "Not Configured (VULNERABLE)" }
}
if ($ldapSigning.Signing -eq 2 -and $ldapSigning.Binding -eq 2) {
$ldapResult.RelayToLDAP = "No - Signing and Channel Binding Required"
} elseif ($ldapSigning.Signing -eq 2) {
$ldapResult.RelayToLDAP = "Partial - Signing Required but Channel Binding Not Enforced"
} else {
$ldapResult.RelayToLDAP = "YES - LDAP Relay Possible"
}
} catch {
$ldapResult.ErrorDetail = $_.Exception.Message
}
$ldapResults += $ldapResult
}
$ldapCsvPath = Join-Path $OutputPath "ldap_signing_audit_$timestamp.csv"
$ldapResults | Export-Csv -Path $ldapCsvPath -NoTypeInformation
Write-Host "[*] LDAP signing results saved to: $ldapCsvPath"
foreach ($r in $ldapResults) {
$color = if ($r.RelayToLDAP -like "YES*") { "Red" } elseif ($r.RelayToLDAP -like "Partial*") { "Yellow" } else { "Green" }
Write-Host " $($r.DCHostname): LDAP=$($r.LDAPSigning), ChannelBinding=$($r.ChannelBinding)" -ForegroundColor $color
}
# ============================================================================
# Section 3: NTLM Configuration Audit
# ============================================================================
Write-Host "`n[*] Section 3: NTLM Configuration Audit" -ForegroundColor Cyan
$ntlmResults = @()
foreach ($target in $targets | Select-Object -First 50) {
$ntlmResult = [PSCustomObject]@{
Hostname = $target
LmCompatLevel = "Unknown"
LmCompatDesc = "Unknown"
NTLMRestriction = "Unknown"
LLMNREnabled = "Unknown"
NBTNSEnabled = "Unknown"
NTLMv1Vulnerable = "Unknown"
ErrorDetail = ""
}
try {
$config = Invoke-Command -ComputerName $target -ScriptBlock {
$lmLevel = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "LmCompatibilityLevel" -ErrorAction SilentlyContinue).LmCompatibilityLevel
$llmnr = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
-Name "EnableMulticast" -ErrorAction SilentlyContinue).EnableMulticast
$ntlmRestrict = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
-Name "RestrictReceivingNTLMTraffic" -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
return @{
LmLevel = $lmLevel
LLMNR = $llmnr
NTLMRestrict = $ntlmRestrict
}
} -ErrorAction Stop
$ntlmResult.LmCompatLevel = $config.LmLevel
$ntlmResult.LmCompatDesc = switch ($config.LmLevel) {
0 { "Send LM & NTLM (CRITICAL - NTLMv1 active)" }
1 { "Send LM & NTLM, use NTLMv2 session if negotiated" }
2 { "Send NTLM only (NTLMv1)" }
3 { "Send NTLMv2 only (Recommended minimum)" }
4 { "Send NTLMv2 only, refuse LM" }
5 { "Send NTLMv2 only, refuse LM & NTLM (Most Secure)" }
default { "Not configured (defaults to 3)" }
}
$ntlmResult.NTLMv1Vulnerable = if ($config.LmLevel -lt 3 -and $null -ne $config.LmLevel) {
"YES - NTLMv1 may be used"
} else {
"No - NTLMv2 enforced"
}
$ntlmResult.LLMNREnabled = if ($config.LLMNR -eq 0) { "Disabled (Secure)" } else { "Enabled (VULNERABLE to Responder)" }
$ntlmResult.NTLMRestriction = switch ($config.NTLMRestrict) {
0 { "Allow all" }
1 { "Deny all domain accounts" }
2 { "Deny all accounts" }
default { "Not configured (Allow all)" }
}
} catch {
$ntlmResult.ErrorDetail = $_.Exception.Message
}
$ntlmResults += $ntlmResult
}
$ntlmCsvPath = Join-Path $OutputPath "ntlm_config_audit_$timestamp.csv"
$ntlmResults | Export-Csv -Path $ntlmCsvPath -NoTypeInformation
Write-Host "[*] NTLM configuration results saved to: $ntlmCsvPath"
$ntlmv1Vuln = @($ntlmResults | Where-Object { $_.NTLMv1Vulnerable -like "YES*" })
$llmnrVuln = @($ntlmResults | Where-Object { $_.LLMNREnabled -like "Enabled*" })
Write-Host "`n NTLM Configuration Summary:"
Write-Host " Hosts vulnerable to NTLMv1 downgrade: $($ntlmv1Vuln.Count)" -ForegroundColor $(if ($ntlmv1Vuln.Count -gt 0) { "Red" } else { "Green" })
Write-Host " Hosts with LLMNR enabled (Responder target): $($llmnrVuln.Count)" -ForegroundColor $(if ($llmnrVuln.Count -gt 0) { "Red" } else { "Green" })
# ============================================================================
# Section 4: Overall Risk Assessment
# ============================================================================
Write-Host "`n" + ("=" * 78) -ForegroundColor Cyan
Write-Host " OVERALL NTLM RELAY RISK ASSESSMENT" -ForegroundColor Cyan
Write-Host ("=" * 78) -ForegroundColor Cyan
$riskScore = 0
$recommendations = @()
if ($vulnerable.Count -gt 0) {
$riskScore += 30
$recommendations += "CRITICAL: Enforce SMB signing on $($vulnerable.Count) hosts via GPO"
}
$ldapVuln = @($ldapResults | Where-Object { $_.RelayToLDAP -like "YES*" })
if ($ldapVuln.Count -gt 0) {
$riskScore += 30
$recommendations += "CRITICAL: Enforce LDAP signing on $($ldapVuln.Count) domain controllers"
}
if ($ntlmv1Vuln.Count -gt 0) {
$riskScore += 20
$recommendations += "HIGH: Set LmCompatibilityLevel >= 3 on $($ntlmv1Vuln.Count) hosts to prevent NTLMv1"
}
if ($llmnrVuln.Count -gt 0) {
$riskScore += 20
$recommendations += "HIGH: Disable LLMNR via GPO on $($llmnrVuln.Count) hosts to prevent Responder poisoning"
}
$riskLevel = switch {
($riskScore -ge 60) { "CRITICAL" }
($riskScore -ge 40) { "HIGH" }
($riskScore -ge 20) { "MEDIUM" }
default { "LOW" }
}
$riskColor = switch ($riskLevel) {
"CRITICAL" { "Red" }
"HIGH" { "Red" }
"MEDIUM" { "Yellow" }
"LOW" { "Green" }
}
Write-Host "`n Risk Level: $riskLevel (Score: $riskScore/100)" -ForegroundColor $riskColor
Write-Host "`n Recommendations:" -ForegroundColor White
foreach ($rec in $recommendations) {
Write-Host " - $rec" -ForegroundColor Yellow
}
if ($recommendations.Count -eq 0) {
Write-Host " - No critical issues found. Continue monitoring NTLM usage via Event 8004." -ForegroundColor Green
}
Write-Host "`n Output Files:"
Write-Host " - $smbCsvPath"
Write-Host " - $ldapCsvPath"
Write-Host " - $ntlmCsvPath"
Write-Host "`n" + ("=" * 78) -ForegroundColor Cyan
detect_ntlm_relay.py23.0 KB
#!/usr/bin/env python3
"""
NTLM Relay Detection via Event Correlation Script
Parses Windows Security event logs to detect NTLM relay attacks through
IP-hostname mismatch analysis, NTLMv1 downgrade detection, rapid multi-host
authentication patterns, and machine account relay indicators.
MITRE ATT&CK: T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay)
Usage:
python detect_ntlm_relay.py --evtx <security.evtx>
python detect_ntlm_relay.py --evtx <security.evtx> --inventory hosts.csv
python detect_ntlm_relay.py --evtx <security.evtx> --json --output results.json
Requirements:
pip install python-evtx lxml
"""
import argparse
import csv
import json
import sys
import os
from datetime import datetime, timedelta
from collections import defaultdict
try:
import Evtx.Evtx as evtx
from lxml import etree
except ImportError:
print("[!] Required packages not found. Install with: pip install python-evtx lxml")
sys.exit(1)
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
# Default time window for rapid authentication detection (seconds)
RAPID_AUTH_WINDOW = 120
# Minimum number of unique targets to flag rapid authentication
RAPID_AUTH_THRESHOLD = 3
def parse_security_event(record_xml):
"""Parse a Windows Security event record XML into a dictionary."""
try:
root = etree.fromstring(record_xml)
except etree.XMLSyntaxError:
return None
ns = {"e": EVENT_NS}
event = {}
system = root.find(".//e:System", ns)
if system is not None:
event_id_elem = system.find("e:EventID", ns)
event["EventID"] = int(event_id_elem.text) if event_id_elem is not None else 0
time_elem = system.find("e:TimeCreated", ns)
if time_elem is not None:
event["TimeCreated"] = time_elem.get("SystemTime", "")
computer_elem = system.find("e:Computer", ns)
event["Computer"] = computer_elem.text if computer_elem is not None else ""
event_data = root.find(".//e:EventData", ns)
if event_data is not None:
for data in event_data.findall("e:Data", ns):
name = data.get("Name", "")
value = data.text or ""
event[name] = value
return event
def load_host_inventory(csv_path):
"""
Load hostname-to-IP mapping from CSV file.
Expected columns: hostname,ip_address
"""
inventory = {}
try:
with open(csv_path, "r", newline="") as f:
reader = csv.DictReader(f)
for row in reader:
hostname = row.get("hostname", "").strip().upper()
ip = row.get("ip_address", "").strip()
if hostname and ip:
inventory[hostname] = ip
except Exception as e:
print(f"[!] Error loading inventory from {csv_path}: {e}")
return inventory
def is_internal_ip(ip):
"""Check if an IP address is in RFC1918 private ranges."""
if not ip or ip in ("-", "::1", "127.0.0.1"):
return False
parts = ip.split(".")
if len(parts) != 4:
return False
try:
first = int(parts[0])
second = int(parts[1])
if first == 10:
return True
if first == 172 and 16 <= second <= 31:
return True
if first == 192 and second == 168:
return True
except ValueError:
return False
return False
def detect_ip_hostname_mismatch(events, inventory):
"""
Detect NTLM relay by finding Event 4624 LogonType 3 entries where
the WorkstationName does not match the expected IP for that hostname.
"""
findings = []
for event in events:
if event.get("EventID") != 4624:
continue
if event.get("LogonType") != "3":
continue
if event.get("AuthenticationPackageName") != "NTLM":
continue
target_user = event.get("TargetUserName", "")
workstation = event.get("WorkstationName", "").strip().upper()
source_ip = event.get("IpAddress", "")
computer = event.get("Computer", "")
timestamp = event.get("TimeCreated", "")
lm_package = event.get("LmPackageName", "")
# Skip machine accounts and anonymous logons
if target_user.endswith("$") or target_user in ("ANONYMOUS LOGON", "-", ""):
continue
if source_ip in ("-", "::1", "127.0.0.1", ""):
continue
# Check against inventory
if workstation in inventory:
expected_ip = inventory[workstation]
if source_ip != expected_ip:
findings.append({
"timestamp": timestamp,
"detection_type": "IP-Hostname Mismatch (NTLM Relay Indicator)",
"severity": "CRITICAL",
"mitre": "T1557.001",
"target_host": computer,
"target_user": target_user,
"workstation_name": workstation,
"actual_source_ip": source_ip,
"expected_source_ip": expected_ip,
"lm_package": lm_package,
"explanation": (
f"Event 4624 shows {target_user} authenticating from "
f"workstation '{workstation}' but source IP is {source_ip} "
f"(expected {expected_ip}). This IP mismatch is a primary "
f"indicator of NTLM relay."
),
})
return findings
def detect_rapid_multi_host_auth(events, window_seconds=RAPID_AUTH_WINDOW,
threshold=RAPID_AUTH_THRESHOLD):
"""
Detect rapid NTLM authentication to multiple targets from the same source,
indicating relay spraying or credential relay.
"""
findings = []
# Group events by source IP and user
auth_by_source = defaultdict(list)
for event in events:
if event.get("EventID") != 4624:
continue
if event.get("LogonType") != "3":
continue
if event.get("AuthenticationPackageName") != "NTLM":
continue
target_user = event.get("TargetUserName", "")
source_ip = event.get("IpAddress", "")
if target_user.endswith("$") or target_user in ("ANONYMOUS LOGON", "-", ""):
continue
if source_ip in ("-", "::1", "127.0.0.1", ""):
continue
try:
ts = datetime.fromisoformat(event["TimeCreated"].replace("Z", "+00:00"))
except (ValueError, KeyError):
continue
key = (source_ip, target_user)
auth_by_source[key].append({
"timestamp": ts,
"target_host": event.get("Computer", ""),
"workstation": event.get("WorkstationName", ""),
})
# Analyze each source for rapid multi-host authentication
for (source_ip, target_user), auth_list in auth_by_source.items():
auth_list.sort(key=lambda x: x["timestamp"])
# Sliding window analysis
for i in range(len(auth_list)):
window_start = auth_list[i]["timestamp"]
window_end = window_start + timedelta(seconds=window_seconds)
targets_in_window = set()
events_in_window = []
for j in range(i, len(auth_list)):
if auth_list[j]["timestamp"] <= window_end:
targets_in_window.add(auth_list[j]["target_host"])
events_in_window.append(auth_list[j])
else:
break
if len(targets_in_window) >= threshold:
findings.append({
"timestamp": window_start.isoformat(),
"detection_type": "Rapid Multi-Host NTLM Authentication (Relay Spraying)",
"severity": "HIGH",
"mitre": "T1557.001",
"source_ip": source_ip,
"target_user": target_user,
"unique_targets": len(targets_in_window),
"target_hosts": sorted(targets_in_window),
"event_count": len(events_in_window),
"window_seconds": window_seconds,
"explanation": (
f"User '{target_user}' authenticated via NTLM from {source_ip} "
f"to {len(targets_in_window)} unique targets in {window_seconds}s. "
f"Rapid multi-host authentication is consistent with ntlmrelayx spraying."
),
})
break # One finding per source/user pair
return findings
def detect_ntlmv1_downgrade(events):
"""
Detect NTLMv1 authentication which indicates a downgrade attack.
NTLMv1 is weaker and should not be in use in modern environments.
"""
findings = []
ntlmv1_by_user = defaultdict(list)
for event in events:
if event.get("EventID") != 4624:
continue
if event.get("LogonType") != "3":
continue
lm_package = event.get("LmPackageName", "")
if "NTLM V1" not in lm_package:
continue
target_user = event.get("TargetUserName", "")
if target_user.endswith("$") or target_user in ("ANONYMOUS LOGON", "-", ""):
continue
ntlmv1_by_user[target_user].append({
"timestamp": event.get("TimeCreated", ""),
"computer": event.get("Computer", ""),
"source_ip": event.get("IpAddress", ""),
"workstation": event.get("WorkstationName", ""),
})
for user, auth_list in ntlmv1_by_user.items():
targets = set(a["computer"] for a in auth_list)
source_ips = set(a["source_ip"] for a in auth_list)
findings.append({
"timestamp": auth_list[0]["timestamp"],
"detection_type": "NTLMv1 Authentication Detected (Downgrade Attack Indicator)",
"severity": "HIGH",
"mitre": "T1557.001",
"target_user": user,
"ntlmv1_event_count": len(auth_list),
"source_ips": sorted(source_ips),
"target_hosts": sorted(targets),
"explanation": (
f"User '{user}' authenticated {len(auth_list)} times using NTLMv1. "
f"NTLMv1 is deprecated and should not be in use. This may indicate "
f"a downgrade attack or misconfigured LmCompatibilityLevel."
),
})
return findings
def detect_machine_account_relay(events):
"""
Detect machine account NTLM authentication from unexpected IPs,
indicating PetitPotam, DFSCoerce, or PrinterBug coercion + relay.
"""
findings = []
machine_auths = defaultdict(list)
for event in events:
if event.get("EventID") != 4624:
continue
if event.get("LogonType") != "3":
continue
if event.get("AuthenticationPackageName") != "NTLM":
continue
target_user = event.get("TargetUserName", "")
source_ip = event.get("IpAddress", "")
# Only machine accounts (ending in $)
if not target_user.endswith("$"):
continue
if source_ip in ("-", "::1", "127.0.0.1", ""):
continue
machine_auths[target_user].append({
"timestamp": event.get("TimeCreated", ""),
"target_host": event.get("Computer", ""),
"source_ip": source_ip,
"workstation": event.get("WorkstationName", ""),
"lm_package": event.get("LmPackageName", ""),
})
for machine_account, auth_list in machine_auths.items():
source_ips = set(a["source_ip"] for a in auth_list)
target_hosts = set(a["target_host"] for a in auth_list)
# Flag if machine account authenticates from multiple source IPs
# or if source IP does not match expected machine IP
if len(source_ips) > 1:
findings.append({
"timestamp": auth_list[0]["timestamp"],
"detection_type": "Machine Account NTLM Auth from Multiple Sources (Coercion + Relay)",
"severity": "CRITICAL",
"mitre": "T1557.001",
"machine_account": machine_account,
"source_ips": sorted(source_ips),
"target_hosts": sorted(target_hosts),
"auth_count": len(auth_list),
"explanation": (
f"Machine account '{machine_account}' authenticated via NTLM from "
f"{len(source_ips)} different source IPs: {', '.join(sorted(source_ips))}. "
f"This indicates the machine's NTLM authentication was coerced "
f"(PetitPotam/DFSCoerce/PrinterBug) and relayed to "
f"{', '.join(sorted(target_hosts))}."
),
})
return findings
def detect_anonymous_ntlm_logons(events):
"""
Detect ANONYMOUS LOGON via NTLM which can indicate null session relay
or Responder activity.
"""
findings = []
anon_by_ip = defaultdict(list)
for event in events:
if event.get("EventID") != 4624:
continue
if event.get("LogonType") != "3":
continue
if event.get("AuthenticationPackageName") != "NTLM":
continue
target_user = event.get("TargetUserName", "")
if target_user != "ANONYMOUS LOGON":
continue
source_ip = event.get("IpAddress", "")
if source_ip in ("-", "::1", "127.0.0.1", ""):
continue
anon_by_ip[source_ip].append({
"timestamp": event.get("TimeCreated", ""),
"target_host": event.get("Computer", ""),
})
for source_ip, auth_list in anon_by_ip.items():
targets = set(a["target_host"] for a in auth_list)
if len(auth_list) >= 3:
findings.append({
"timestamp": auth_list[0]["timestamp"],
"detection_type": "Excessive ANONYMOUS NTLM Logons (Responder/Relay Probe)",
"severity": "MEDIUM",
"mitre": "T1557.001",
"source_ip": source_ip,
"anonymous_logon_count": len(auth_list),
"target_hosts": sorted(targets),
"explanation": (
f"Source IP {source_ip} performed {len(auth_list)} anonymous NTLM "
f"logons to {len(targets)} hosts. Excessive anonymous NTLM "
f"authentication may indicate Responder probing or null session relay."
),
})
return findings
def parse_evtx_file(filepath):
"""Parse a .evtx file and return list of parsed events."""
events = []
try:
with evtx.Evtx(filepath) as log:
for record in log.records():
try:
event = parse_security_event(record.xml())
if event and event.get("EventID") in (4624, 4625, 4648, 4776):
events.append(event)
except Exception:
continue
except Exception as e:
print(f"[!] Error parsing {filepath}: {e}")
return events
def print_findings(findings, title):
"""Print findings in a formatted table."""
if not findings:
print(f"\n[+] {title}: No findings")
return
print(f"\n{'=' * 80}")
print(f" {title} ({len(findings)} findings)")
print(f"{'=' * 80}")
for i, finding in enumerate(findings, 1):
severity = finding.get("severity", "N/A")
severity_marker = {
"CRITICAL": "[!!!]",
"HIGH": "[!!]",
"MEDIUM": "[!]",
"LOW": "[.]",
}.get(severity, "[?]")
print(f"\n {severity_marker} [{i}] {finding.get('detection_type', 'Unknown')}")
print(f" Severity: {severity}")
print(f" Time: {finding.get('timestamp', 'N/A')}")
if "target_user" in finding:
print(f" User: {finding['target_user']}")
if "machine_account" in finding:
print(f" Machine: {finding['machine_account']}")
if "source_ip" in finding:
print(f" Source IP: {finding['source_ip']}")
if "actual_source_ip" in finding:
print(f" Actual Source IP: {finding['actual_source_ip']}")
print(f" Expected Source IP: {finding.get('expected_source_ip', 'N/A')}")
if "workstation_name" in finding:
print(f" Workstation: {finding['workstation_name']}")
if "target_hosts" in finding:
hosts = finding["target_hosts"]
if len(hosts) <= 5:
print(f" Targets: {', '.join(hosts)}")
else:
print(f" Targets: {', '.join(hosts[:5])} ... (+{len(hosts)-5} more)")
if "source_ips" in finding:
print(f" Source IPs: {', '.join(finding['source_ips'])}")
print(f" Detail: {finding.get('explanation', 'N/A')}")
def main():
parser = argparse.ArgumentParser(
description="Detect NTLM relay attacks via Windows Security event log correlation"
)
parser.add_argument(
"--evtx", required=True,
help="Path to Windows Security .evtx log file"
)
parser.add_argument(
"--inventory",
help="Path to CSV file with hostname,ip_address columns for mismatch detection"
)
parser.add_argument(
"--json", action="store_true",
help="Output results in JSON format"
)
parser.add_argument(
"--output", "-o",
help="Output file path (default: stdout)"
)
parser.add_argument(
"--rapid-window", type=int, default=RAPID_AUTH_WINDOW,
help=f"Time window for rapid auth detection in seconds (default: {RAPID_AUTH_WINDOW})"
)
parser.add_argument(
"--rapid-threshold", type=int, default=RAPID_AUTH_THRESHOLD,
help=f"Min unique targets for rapid auth alert (default: {RAPID_AUTH_THRESHOLD})"
)
args = parser.parse_args()
if not os.path.exists(args.evtx):
print(f"[!] File not found: {args.evtx}")
sys.exit(1)
# Load host inventory if provided
inventory = {}
if args.inventory:
if os.path.exists(args.inventory):
inventory = load_host_inventory(args.inventory)
print(f"[*] Loaded {len(inventory)} hosts from inventory")
else:
print(f"[!] Inventory file not found: {args.inventory}")
print(f"[*] Parsing Security events from: {args.evtx}")
events = parse_evtx_file(args.evtx)
print(f"[*] Parsed {len(events)} relevant Security events (4624, 4625, 4648, 4776)")
ntlm_4624 = [e for e in events if e.get("EventID") == 4624
and e.get("AuthenticationPackageName") == "NTLM"]
print(f"[*] Found {len(ntlm_4624)} NTLM LogonType 3 events for analysis")
print("[*] Running NTLM relay detection modules...")
# Run all detection modules
mismatch_findings = detect_ip_hostname_mismatch(events, inventory) if inventory else []
rapid_auth_findings = detect_rapid_multi_host_auth(
events, args.rapid_window, args.rapid_threshold
)
ntlmv1_findings = detect_ntlmv1_downgrade(events)
machine_relay_findings = detect_machine_account_relay(events)
anon_findings = detect_anonymous_ntlm_logons(events)
all_findings = (
mismatch_findings + rapid_auth_findings + ntlmv1_findings
+ machine_relay_findings + anon_findings
)
all_results = {
"scan_time": datetime.utcnow().isoformat() + "Z",
"security_log": args.evtx,
"inventory_file": args.inventory or "Not provided",
"inventory_hosts": len(inventory),
"total_events_parsed": len(events),
"ntlm_logon_events": len(ntlm_4624),
"detection_modules": {
"ip_hostname_mismatch": {
"enabled": bool(inventory),
"findings": mismatch_findings,
"count": len(mismatch_findings),
},
"rapid_multi_host_auth": {
"enabled": True,
"findings": rapid_auth_findings,
"count": len(rapid_auth_findings),
"window_seconds": args.rapid_window,
"threshold": args.rapid_threshold,
},
"ntlmv1_downgrade": {
"enabled": True,
"findings": ntlmv1_findings,
"count": len(ntlmv1_findings),
},
"machine_account_relay": {
"enabled": True,
"findings": machine_relay_findings,
"count": len(machine_relay_findings),
},
"anonymous_ntlm_logons": {
"enabled": True,
"findings": anon_findings,
"count": len(anon_findings),
},
},
"summary": {
"total_findings": len(all_findings),
"critical": len([f for f in all_findings if f.get("severity") == "CRITICAL"]),
"high": len([f for f in all_findings if f.get("severity") == "HIGH"]),
"medium": len([f for f in all_findings if f.get("severity") == "MEDIUM"]),
"low": len([f for f in all_findings if f.get("severity") == "LOW"]),
},
}
if args.json:
output = json.dumps(all_results, indent=2, default=str)
if args.output:
with open(args.output, "w") as f:
f.write(output)
print(f"[*] JSON results written to: {args.output}")
else:
print(output)
else:
print(f"\n[*] NTLM Relay Detection Report")
print(f"[*] Scan Time: {all_results['scan_time']}")
print(f"[*] Events Analyzed: {all_results['total_events_parsed']}")
print(f"[*] NTLM Network Logons: {all_results['ntlm_logon_events']}")
if not inventory:
print("\n[!] WARNING: No host inventory provided (--inventory).")
print(" IP-hostname mismatch detection is DISABLED.")
print(" Provide a CSV with hostname,ip_address columns for full detection.")
print_findings(mismatch_findings, "IP-Hostname Mismatch Detection")
print_findings(rapid_auth_findings, "Rapid Multi-Host Authentication")
print_findings(ntlmv1_findings, "NTLMv1 Downgrade Detection")
print_findings(machine_relay_findings, "Machine Account Relay (Coercion)")
print_findings(anon_findings, "Anonymous NTLM Logon Analysis")
print(f"\n{'=' * 80}")
print(f" SUMMARY")
print(f"{'=' * 80}")
s = all_results["summary"]
print(f" Total Findings: {s['total_findings']}")
print(f" Critical: {s['critical']}")
print(f" High: {s['high']}")
print(f" Medium: {s['medium']}")
print(f" Low: {s['low']}")
if s["critical"] > 0:
print(f"\n [!!!] CRITICAL findings detected -- NTLM relay attack likely in progress!")
print(f" Recommended: Isolate source IPs, reset affected credentials,")
print(f" enforce SMB/LDAP signing, disable LLMNR/NBT-NS.")
if args.output:
with open(args.output, "w") as f:
json.dump(all_results, f, indent=2, default=str)
print(f"\n[*] Full results written to: {args.output}")
if __name__ == "__main__":
main()